Security overview

Thermo Fisher Connect is hosted in Amazon® Web Services (AWS) data centers that have undergone an SSAE 16 examination and for which AWS has published a Service Organization Control 1 (SOC 1®) report. Note that SSAE 16 is an attestation standard under which an independent auditor issues a report; it is not a tiered certification, so there are no "levels" to achieve.

In April 2010, the American Institute of Certified Public Accountants (AICPA) announced the retirement of SAS 70 to be replaced by SSAE (Statement on Standards for Attestation Engagements) 16.

SAS 70 did not set any standards for data center excellence; it merely verified that the controls and processes a data center said it had in place were actually followed. It was also scoped to controls relevant to the financial reporting of the organizations using the service. SSAE 16 keeps that scope but additionally requires a written assertion from the service organization's management about its controls and, in a Type 2 report, an auditor's opinion on both the design and the operating effectiveness of those controls.

There are two types of SSAE 16 audits:

Type 1: Auditors test the accuracy of the service provider's description and management's assertion, and whether the controls are suitably designed, as of a single specified date.

Type 2: Auditors test the accuracy of the service provider's description and assertion, as well as whether the controls were implemented and operated effectively over a specified period (typically six to twelve months). A Type 2 report is therefore the one worth asking for when evaluating a provider.

Alongside SSAE 16, the AICPA introduced the Service Organization Control (SOC) reporting framework, which defines three reports: SOC 1 (controls relevant to user entities' financial reporting; this is the report produced under SSAE 16), SOC 2 (controls relevant to security, availability, processing integrity, confidentiality and privacy, intended for customers and auditors) and SOC 3 (a general-use summary of the SOC 2 examination).

Amazon Web Services has completed an SSAE 16 examination and has published a Service Organization Control 1 (SOC 1) report. Although not legally required, we can provide a copy of the SOC 1 audit report upon formal request.

Multi-tenant software is designed to allow many users to use the same software simultaneously, in a controlled and segregated manner, such that each user can access only his or her own data. This depends on two things: an authentication system that establishes who the user is, and an authorization check on every data access that confirms the authenticated user is the owner of (or has been granted access to) the specific object requested.

Secured coding and code management

Yes. We used industry-standard secure coding best practices throughout the development lifecycle. Our code base was rigorously reviewed and tested for security vulnerabilities and is also audited by third-party security experts on a recurring basis.

Yes, all of the underlying systems within the Thermo Fisher Connect platform run a host-based intrusion detection system (IDS) that monitors and analyzes traffic and host activity to detect possible intrusions. IDS events are fed automatically into our security information and event management (SIEM) system for real-time alerts and notifications.

Yes, the Thermo Fisher Connect platform is protected by firewalls. Firewalls are deployed between each network segment to isolate and control access between the systems in each tier to prevent potential intruders from directly accessing backend systems.

In transit: Data uploaded from a user's computer or instrument to Thermo Fisher Connect is encrypted using HTTPS (TLS) with a server certificate carrying a 2048-bit RSA key. The 2048-bit key authenticates the server and protects the session key exchange; the uploaded data itself is protected by the symmetric cipher (for example AES) negotiated for each session, so the certificate's key length should not be read as the strength of the bulk encryption.

At rest: Yes. At the data storage layer, our system uses server-side AES 256-bit encryption provided by Amazon Web Services (AWS) to secure all data. This protects the data against loss or theft of the underlying storage media, and makes it more secure than it would be on a typical unencrypted desktop or laptop computer. Because AWS decrypts transparently for authorized requests, server-side encryption does not by itself protect against access through a valid account or credential; that is the job of the authentication and authorization controls described elsewhere on this page.

256-bit encryption means that there are 2^256 (2 to the 256th power, roughly 1.2 x 10^77) possible keys. Even a machine that tested 10^18 keys per second, far beyond any computer available today, would need on the order of 10^51 years to try them all, so brute-forcing the key is not a realistic attack; practical risk lies in key management and access control, not in the cipher.

User data is retained indefinitely as long as an account is in “active” status. Accounts will be “deactivated” upon a user’s request to discontinue the service or if the account is delinquent according to our "Terms of Use."

Data transmission security

All communication and data transmission between the user's computer and Thermo Fisher Connect is secured with proven, industry-standard TLS (HTTPS) encryption. This security measure at the transport layer is the same kind used by online banking institutions; it protects data in transit from being intercepted or modified on the wire. This is much more secure than passing data around on unencrypted USB drives or sending it via email.

Yes, collaboration and sharing of data is secure. Only the data owner can initiate sharing. The recipient is then granted permission to view the data from his or her browser over HTTPS. No copy of the data is transferred to the recipient; sharing simply grants the recipient permission to access the data in the owner's folder, which means the recipient cannot in turn share it with others. This shared access can be revoked by the data owner at any time.

No, Thermo Fisher Connect and associated analysis software receive data but do not initiate connections to the user's network devices. If needed, users can initiate a download of data and analysis results onto their computer.

Each user is assigned a password-protected account. All data uploaded by that user can be viewed only by that user. Each user account is isolated so that no other user has access to the data except when the owner has explicitly shared it. This shared access can be revoked by the owner at any time.
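The access rules stated above (owner-only access, sharing that only the owner can initiate, no re-sharing by recipients, and revocation at any time) are easiest to reason about as code. The following is an added example written for this page, not Thermo Fisher Connect's own implementation; the names Vault, StoredObject, AccessDenied and the sample users and object identifiers are assumptions, and the uploaded data is constructed. It also shows two details a practitioner would expect that the prose leaves implicit: every read goes through the same authorization check, and a request for an object the caller may not see fails identically whether or not the object exists, so the API does not leak which identifiers are in use.

```python
"""Owner-scoped storage with explicit, revocable sharing (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised for any request the caller is not allowed to make."""


@dataclass
class StoredObject:
    owner: str                      # the user who uploaded the object
    data: bytes                     # the stored payload
    shared_with: set[str] = field(default_factory=set)  # read grants issued by the owner


class Vault:
    """Tenant-isolated storage: every object is bound to the user who uploaded it."""

    def __init__(self) -> None:
        self._objects: dict[str, StoredObject] = {}

    def upload(self, user: str, object_id: str, data: bytes) -> None:
        if object_id in self._objects:
            raise ValueError("object id already exists")
        self._objects[object_id] = StoredObject(owner=user, data=data)

    def can_read(self, user: str, object_id: str) -> bool:
        """Owner or explicitly shared-with user; anyone else gets False."""
        obj = self._objects.get(object_id)
        return obj is not None and (user == obj.owner or user in obj.shared_with)

    def _owned(self, user: str, object_id: str) -> StoredObject:
        """Return the object only if `user` owns it.

        A missing object and a foreign object raise the same error so a caller
        cannot probe which identifiers exist.
        """
        obj = self._objects.get(object_id)
        if obj is None or obj.owner != user:
            raise AccessDenied("not found or not permitted")
        return obj

    def read(self, user: str, object_id: str) -> bytes:
        if not self.can_read(user, object_id):
            raise AccessDenied("not found or not permitted")
        # The recipient reads the owner's copy; nothing is transferred to them.
        return self._objects[object_id].data

    def share(self, user: str, object_id: str, recipient: str) -> None:
        """Only the owner may grant access; a recipient cannot re-share."""
        obj = self._owned(user, object_id)
        if recipient != obj.owner:
            obj.shared_with.add(recipient)

    def revoke(self, user: str, object_id: str, recipient: str) -> None:
        """Only the owner may revoke; revoking a non-grant is a harmless no-op."""
        self._owned(user, object_id).shared_with.discard(recipient)

    def list_visible(self, user: str) -> list[str]:
        """Everything this user may read: own uploads plus active grants."""
        return sorted(oid for oid in self._objects if self.can_read(user, oid))


def demo() -> dict:
    """Walk through upload, share, attempted re-share and revoke."""
    v = Vault()
    v.upload("alice", "run-001", b"constructed instrument export for alice")
    v.upload("bob", "run-002", b"constructed instrument export for bob")
    out = {"bob_before_share": v.can_read("bob", "run-001")}

    v.share("alice", "run-001", "bob")          # owner initiates sharing
    out["bob_after_share"] = v.can_read("bob", "run-001")
    out["bob_reads_owner_copy"] = v.read("bob", "run-001") == v.read("alice", "run-001")

    try:                                         # recipient may not re-share
        v.share("bob", "run-001", "carol")
        out["bob_can_reshare"] = True
    except AccessDenied:
        out["bob_can_reshare"] = False

    v.revoke("alice", "run-001", "bob")          # owner revokes at any time
    out["bob_after_revoke"] = v.can_read("bob", "run-001")
    out["alice_visible"] = v.list_visible("alice")
    out["bob_visible"] = v.list_visible("bob")
    return out
```

Running demo() shows the full lifecycle: bob cannot see run-001 until alice shares it, reads alice's copy rather than receiving one, cannot pass it on to carol, and loses access the moment alice revokes the grant.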

Our security team performs security tests against the OWASP Top 10 web application security risks (see figure below) and ensures that any vulnerabilities found are fixed through a combination of code and configuration changes.

Protection against viruses/malware in a software-as-a-service (SaaS) environment such as Thermo Fisher Connect is a shared responsibility between the provider and the end user. It is extremely important that Thermo Fisher Connect users do their part by protecting their computers with an up-to-date anti-virus/anti-malware program.

Thermo Fisher Scientific has deployed appropriate and current security best practices to ensure that the Thermo Fisher Connect platform and the software applications running on it are not infected with viruses or malware that could damage an end user's computer when he or she clicks on links or uses features of the software. Please refer to the other Thermo Fisher Connect FAQs for details of the multi-level security measures implemented on the platform. Additionally, the Thermo Fisher Connect platform does not reference or link to external or third-party websites, which removes one common route by which malicious content is served to users.

No. Thermo Fisher Connect and the software applications running on it are SaaS based, which means nothing needs to be installed on the end user's computer to run them. Users simply need a web browser and internet connectivity to access and use the platform. Antivirus software (e.g., McAfee® software) installed on the end user's computer will not have compatibility issues with our platform as long as one of our supported web browser versions is used to access the system.